Passports and profiles, please: EU may exact digital toll at its borders

In late July, the European Commission launched a public consultation on the “Smart Borders” package, a programme of the EU Agenda on Migration that poses a serious risk for the fundamental rights to privacy and data protection. While the EU must take urgent action to improve its treatment of refugees and other migrants, this package of proposals would adversely impact the privacy of everyone living in or traveling to Europe.

The Commission first proposed the Smart Borders package in February 2013. The package includes several proposals for border control of non-EU citizens travelling to and from the EU. The first review of the Smart Borders package by the European Parliament and the Council was completed in February 2014 without success, perhaps due to the technical complexity, cost, and civil liberties implications of the border control systems mapped out in the proposals. The Commission is therefore conducting a consultation to collect views and opinions from travellers, EU citizens, non-governmental organizations, and public authorities to help prepare a revised proposal to be advanced later this year, which should address these concerns.

The package under revision fails to ensure the protection of travellers’ personal data and right to privacy, and we encourage all stakeholders to voice their concerns through the ongoing consultation by October 29.

The consultation seeks respondents’ views on several aspects of the Smart Borders package, from visa policies to the collection of travellers’ data. As part of our mission to defend and extend the digital rights of users at risk around the world, Access will be providing comments solely on the elements of this package related to the protection of the rights to privacy and data protection.

Mass collection and retention of data

As part of the Smart Borders package, the EU seeks to establish a new Entry-Exit System in the EU (EES). This system would extend biometric ID checks – currently reserved for travellers from countries requiring visas – to all non-EU nationals entering or leaving the EU. Biometric ID checks would involve collecting 10 fingerprints, even if the Commission is conducting a consultation as to whether it should collect not just fingerprints but also facial images.

The objective of this registration system is to help the authorities identify travellers who have stayed longer than permitted, so-called “overstayers”. However, once in place, this system would enable profiling on a massive scale, including the tracking of location data, and the creation of a huge database to store the collected biometric and personal data. After collection, data would be retained for a maximum period of 181 days after the traveller exits the EU and for a period of five years for a person who has “overstayed”. The retained data would be accessible to law enforcement authorities for the purpose preventing, detecting, or investigating terrorist offences or other serious criminal offences. It is unclear at the moment whether judicial warrants would be required and independent oversight mechanism put in place to prevent possible access abuse.

The mass collection and retention of personal data, including sensitive data, creates serious risks for the protection of the fundamental right to privacy. It is unclear how the Commission would ensure the data are protected at all times from breach, abuse, or other mismanagement. The consultation states that “access would be granted [to law enforcement authorities] under strict legal prerequisites in full compliance with fundamental rights”, however, there is no information regarding the nature of these compliance criteria, the technique used to prevent any abuse, or the measures established to ensure data security, if any.

While the necessity and proportionality of these systems has not been demonstrated, there are plenty of examples of database abuse by law enforcement officials or third parties. Furthermore, when the EU Data Retention Directive was overturned in April 2014, the EU Court of Justice concluded that the blanket retention of data is no longer authorised in the EU, because it constitutes a violation of the fundamental rights to privacy and data protection. Despite this ruling, privacy invasive proposals like the Smart Borders package and the EU Passenger Name Record proposal are pushed forward.

Like the Smart Borders package, the EU PNR proposal would enable surveillance of travellers, since it requires the collection and retention of the passenger data of everyone entering or leaving the EU, whether or not they are EU citizens. The two proposed programmes share other characteristics, such as opening the possibility of law enforcement to access these data with limited or unknown oversight. Combined, they would establish mass scale surveillance of travellers and enable profiling of their activities.

Trick and treating

The proposed Entry/Exit system would be coupled with a Registered Traveller Programme (RTP), which aims to facilitate border crossings for frequent and so-called “low-risk” travellers via a special fast-track lane. But this treat has a trick: travellers would pay to undergo an extensive pre-screening and pre-vetting procedure which includes collecting their personal data, including sensitive data.

The Registered Traveller Programme would add another set of data related to the traveller, in addition to the biometric and passport data, to determine whether a person “fits” the criteria and can use the fast lane. Through the consultation, the Commission is asking travellers to “please indicate the maximum fee [they] would accept to pay to benefit from the procedure,” with options that go from 20 euros to “more than 100 euros”. So it appears that we would be forced to pay to make our own surveillance more convenient, yet we cannot entirely opt out of profiling.

Next steps: It’s time to speak out

The consultation will be open until October 29. While the survey format does not allow for lengthy responses, Access will be submitting a short response to this consultation to highlight the risks that these systems represent to the fundamental rights to privacy and data protection. We encourage you to join us by submitting a response. Together, we must push back against establishing a Big Brother at the EU borders.